It appears that there is no end in sight to WhatsApp’s security troubles. A fortnight after it sued the Israeli spyware firm NSO Group for exploiting a VoIP call vulnerability to plant its most sophisticated spyware Pegasus in victims’ phones, Facebook, its parent company, issued an advisory on November 14 warning users that “a specially crafted MP4 file” could do much the same.
A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100. [Facebook Advisory]
What does this vulnerability allow you to do? Through this vulnerability (CVE-2019-11931), a malicious actor can send a specially crafted MP4 file through WhatsApp, which could then be used to remotely execute code on your device (RCE) or prevent you from accessing the service (DoS). It is not immediately clear whether this remote code execution means that sophisticated spyware, such as Pegasus, could also be installed.
How dangerous was this vulnerability? As per VulDB (Vulnerability Database), a website that tracks security vulnerabilities in electronic products, the current exploit price for this vulnerability is $5,000-$25,000. A higher amount indicates greater interest among vulnerability brokers. Its Cyber Threat Intelligence (CTI) score is 5.63, indicating a moderate to high level of risk that this vulnerability could be exploited. In contrast, the 0-day price of the May 2019 vulnerability was around $25,000-$100,000.
Is there a solution? As per the advisory, upgrading to the latest version is enough.
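As an added example for this article (not code from WhatsApp or Facebook), the check below encodes the affected version ranges from the advisory quoted above, including the inclusive "before and including" bound the advisory gives for Windows Phone; the platform keys and the sample inventory are my own constructed naming and data.

```python
"""Check whether a WhatsApp build falls inside the affected ranges listed in the
Facebook advisory for CVE-2019-11931 (stack overflow in MP4 metadata parsing).
Example code written for this article; the bounds are copied from the advisory."""

from typing import Dict, Tuple

Version = Tuple[int, ...]

# platform -> (upper bound, bound is inclusive). Every bound is "prior to"
# (exclusive) except Windows Phone, listed as "before and including".
AFFECTED_BEFORE: Dict[str, Tuple[str, bool]] = {
    "android": ("2.19.274", False),
    "ios": ("2.19.100", False),
    "enterprise_client": ("2.25.3", False),
    "windows_phone": ("2.18.368", True),
    "business_android": ("2.19.104", False),
    "business_ios": ("2.19.100", False),
}


def parse_version(text: str) -> Version:
    """Turn '2.19.274' into (2, 19, 274); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(platform: str, version: str) -> bool:
    """True if (platform, version) is inside the advisory's vulnerable range.
    Tuples compare component-wise, so a shorter version such as (2, 19) sorts
    before (2, 19, 0), i.e. it is treated as older than its three-part form."""
    key = platform.lower().replace(" ", "_")
    if key not in AFFECTED_BEFORE:
        raise KeyError(f"platform not listed in the advisory: {platform!r}")
    bound_text, inclusive = AFFECTED_BEFORE[key]
    installed, bound = parse_version(version), parse_version(bound_text)
    return installed <= bound if inclusive else installed < bound


if __name__ == "__main__":
    # Constructed inventory entries, not real device data.
    inventory = [("android", "2.19.273"), ("android", "2.19.274"),
                 ("windows_phone", "2.18.368"), ("ios", "2.19.101")]
    for platform, version in inventory:
        state = "AFFECTED" if is_affected(platform, version) else "fixed"
        print(f"{platform:16} {version:10} {state}")
```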
Does the Indian government know about it? The Indian Computer Emergency Response Team (CERT-In) issued a vulnerability note on November 16 about this and gave it a “HIGH” severity rating. Since the language used to describe the vulnerability differs from that of the Facebook advisory and of the US National Vulnerability Database, one can conclude that this vulnerability was actively processed by a human agent at CERT-In, suggesting that the government has actively recognised the vulnerability.
- The direct URL of the advisory is not visible in the address bar and has to be retrieved from the source code of the web page; text from the advisory also cannot be copy-pasted directly. We have archived a copy of it here and have reached out to CERT-In for comment.
WhatsApp vulnerabilities have a history of mysteriously disappearing from the CERT-In website. After IT Minister Ravi Shankar Prasad’s statement on October 31 suggested that the government was not informed about the May 2019 vulnerability, the CERT-In report (dated May 17, 2019) was cited during a TV debate on October 31 to highlight that the government indeed was informed. This report, however, was mysteriously pulled down on November 1 and restored on November 2. Fortunately, people had archived a copy of it (available here).
What does WhatsApp say? A WhatsApp spokesperson told MediaNama, “WhatsApp is constantly working to improve the security of our service. We make public reports on potential issues we have fixed consistent with industry best practices. In this instance there is no reason to believe users were impacted.” Unlike their response after the Pegasus exploit, where they had said that select users were targeted by an advanced cyber actor, this time they don’t think users have been affected. However, WhatsApp did not answer the following questions from us:
- When was the vulnerability discovered by WhatsApp? When was it fixed?
- How long was the vulnerability active?